Microsoft Azure Active Directory

Pros

Best-in-class integration with both Active Directory (AD) and Office 365.
Most cost-effective option for multifactor authentication (MFA).
Premium service offers licenses for Microsoft Identity Management.
Advanced reports offer insights that are unavailable in other solutions.

Cons

Default architecture synchronizes passwords, a potential area of concern for IT security pros.
Focus on support for Active Directory (AD) leaves alternatives out in the cold.
Advanced reports only available with Premium tier.
Free and Basic service levels limit users to 10 single sign-on (SSO) applications.

Bottom Line

Microsoft's Azure Active Directory (Azure AD) gets a leg up on the competition due to tight integration with Microsoft flagship Windows Server Active Directory (AD) and Office 365.
Azure AD also has advanced toolsets for managing identities and identifying the Software-as-a-Service (SaaS) apps used by your organization.

July 1, 2017

Microsoft has been an industry leader in several core IT categories for decades, and one in which the company has had an effective stranglehold is on-premises network directories. Windows Server Active Directory (AD) is used by corporations and governments throughout the world and is the gold standard for enterprise Identity Management (IDM). In addition to advanced features and tight integration with the world's most popular on-premises directory, Microsoft Azure AD's pricing is very competitive in the Identity Management-as-a-Service (IDaaS) space, offering a free tier, a basic tier for $1 per user per month, and two premium tiers that run $6 and $9 per user per month, respectively. Advanced features, tight integration with the leading on-premises IDM platform, and a new and friendly price all combine to elevate Azure AD to an Editors' Choice in the IDaaS space alongside Okta Identity Management.

Setup and Connecting With On-Prem AD

For obvious reasons, the most common use for Azure AD remains companies looking to integrate an existing, on-premises AD domain with applications running in the cloud and even users connecting via the internet. To provide the guts that will bridge on-premises AD with Azure AD, the most popular Microsoft solution is Azure AD Connect, a synchronization tool freely available from Microsoft. Many competitors offer similar syncing tools to connect their IDaaS products to on-premises AD domains, but Azure AD Connect is a good example of how to do it right. The biggest difference between Azure AD Connect and other synchronization tools is that Azure AD Connect synchronizes password hashes by default, so the authentication process happens within Azure AD rather than the user's credentials being validated against the corporate AD. Many organizations may have policy issues with synchronizing password hashes to the cloud, making Azure AD Connect password synchronization a potential problem.
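What actually leaves the premises under password hash synchronization is worth being precise about, because it is the substance of the policy concern above. Microsoft's public documentation describes the agent taking the user's 16-byte NT (MD4) hash, expanding it to 64 bytes by writing it as a 32-character hex string and re-encoding that string as UTF-16LE, adding a 10-byte per-user salt, and running PBKDF2-HMAC-SHA256 for 1000 iterations; only that derived value is sent to Azure AD. The Python below is an added illustration of that construction written for this review, not Azure AD Connect's own code. The sample NT hash and salt are constructed, and the exact plumbing into PBKDF2 (the expanded hash as the password input, the per-user salt as the salt input) is this example's reading of the documented description, not a verified detail.

```python
import hashlib
import hmac
import os

# Parameters from Microsoft's published description of Azure AD Connect password
# hash synchronization. Everything else here is an illustration written for this
# review, not Azure AD Connect's own code.
PBKDF2_ITERATIONS = 1000
SALT_LEN = 10          # per-user salt, in bytes
DERIVED_LEN = 32       # PBKDF2-HMAC-SHA256 output, in bytes

# Constructed 16-byte stand-in for a user's NT (MD4) password hash and a
# constructed 10-byte salt; neither belongs to any real account.
SAMPLE_NT_HASH = bytes.fromhex("0123456789abcdef0123456789abcdef")
SAMPLE_SALT = bytes.fromhex("00112233445566778899")


def expand_nt_hash(nt_hash: bytes) -> bytes:
    """Write the 16-byte hash as 32 hex characters and UTF-16LE-encode them (64 bytes)."""
    if len(nt_hash) != 16:
        raise ValueError("an NT hash is exactly 16 bytes")
    return nt_hash.hex().encode("utf-16-le")


def derive_sync_hash(nt_hash: bytes, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 over the expanded NT hash: the value that is synchronized.

    Assumption of this illustration: the expanded hash is the PBKDF2 password
    input and the per-user salt is its salt input.
    """
    if len(salt) != SALT_LEN:
        raise ValueError(f"salt must be {SALT_LEN} bytes")
    return hashlib.pbkdf2_hmac("sha256", expand_nt_hash(nt_hash), salt,
                               PBKDF2_ITERATIONS, dklen=DERIVED_LEN)


def new_sync_record(nt_hash: bytes) -> tuple:
    """Fresh random salt plus derived value, as the on-premises agent would produce."""
    salt = os.urandom(SALT_LEN)
    return salt, derive_sync_hash(nt_hash, salt)


def cloud_side_verify(candidate_nt_hash: bytes, salt: bytes, stored: bytes) -> bool:
    """Cloud-side check: derive the same value from the NT hash of the password the
    user just typed and compare in constant time. The raw NT hash is never stored."""
    return hmac.compare_digest(derive_sync_hash(candidate_nt_hash, salt), stored)


if __name__ == "__main__":
    salt, stored = new_sync_record(SAMPLE_NT_HASH)
    print("synchronized value:", stored.hex())
    print("equals raw NT hash?", stored == SAMPLE_NT_HASH)   # False: a derived value, not the hash
    print("verifies          :", cloud_side_verify(SAMPLE_NT_HASH, salt, stored))
```

The point for a reviewer of the "passwords are synchronized" concern: the cloud store holds per-user salted PBKDF2 outputs, not NT hashes that could be replayed against on-premises AD. What remains is the organizational question of whether any password-derived material may leave the premises at all, which is a policy decision rather than a weakness in the derivation.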

Azure AD also supports the use of Active Directory Federation Services (ADFS). Traditionally used to provide authentication capabilities for external apps or services, ADFS forces authentication requests to be performed against your local AD. However, it has its own set of requirements and configuration steps that make it far more complex than competing products with similar authentication functionality. The ideal option is something along the lines of Ping Identity's PingFederate, which provides identity federation with minimal configuration but still allows you to fine-tune every aspect of the federation process.

The newest way to integrate AD with Azure AD still uses the Azure AD Connect agent, but offers a federation-style alternative. One common complaint about Azure AD among larger companies is the lack of middle ground between synchronization using Azure AD Connect and federation using ADFS. Pass-through authentication uses Azure AD Connect to offer a simple path to federated access to your identities in AD. In theory, pass-through authentication offers the best of both worlds, keeping identities and authentication on-premises but eliminating the need for ADFS. An additional benefit of pass-through authentication over ADFS is that connectivity is agent-based, eliminating the need for inbound firewall rules or placement within a DMZ. This functionality is more in line with much of Azure AD's competition, including Okta, OneLogin, Bitium, and Centrify. Pass-through authentication is currently in preview, with general availability expected within the next few months.

Directory Integration

It seems safe to expect a Microsoft IDaaS solution to integrate tightly with AD, and Azure AD doesn't disappoint. Attribute synchronization can be configured with Azure AD Connect and can later be mapped within individual Software-as-a-Service (SaaS) app configurations. Azure AD also supports having password changes written back to AD when they occur in Microsoft Office 365 or the Azure AD user portal. This feature is available in competitors such as OneLogin and Editors' Choice winner Okta Identity Management, but may require additional software or changes to the default synchronization policy.

Another major integration point for Azure AD is for customers using Microsoft Exchange for their mail services, particularly for those using Exchange or Exchange Online in conjunction with Office 365 in a hybrid cloud scenario, where all or part of the email service is hosted in an on-premises data center while the other resources are hosted in the cloud. On installation, Azure AD Connect will recognize additional schema attributes that indicate an Exchange installation and will automatically synchronize these attributes. Azure AD also has the ability to synchronize Office 365 groups back to AD as distribution groups.

Windows 10 also brings new capabilities to integrate with Azure AD. Windows 10 supports joining devices to Azure AD as an alternative to your corporate AD. Be careful, however, as the functionality differs significantly between connecting a device to Azure AD versus joining a device to traditional on-premises AD. That's because once connected to Azure AD, the Windows 10 device becomes managed through Azure AD and Microsoft's mobile device management (MDM) tools rather than Group Policy. The big benefit for Azure AD users is that authentication to the user portal is seamless as the user is already authenticated to the device, and Windows 10 apps such as Mail and Calendar will recognize if an Office 365 account is available and be automatically configured. The log-in process is very similar to the default log-in style in Windows 8 where it asks for your Microsoft account details.

Microsoft Identity Manager

Rarely does a large enterprise rely on a single source for identities. Whether it's a combination of Active Directory and a human resources (HR) system, multiple Active Directory forests, or relationships to business partners, additional complexity is inevitable in larger businesses. Microsoft's solution for integrating multiple identity providers is Microsoft Identity Manager. While it is a distinct software package, client access licenses are included in the Azure AD Premium tiers. Azure AD B2B Collaboration (Azure AD B2B) provides a means to offer business partners access to corporate apps. Though currently in preview, Azure AD B2B facilitates collaboration with business partners, offering them access to apps without requiring the creation of user accounts in Active Directory or an Active Directory trust.

True single sign-on (SSO) support using directory credentials is now available in Azure AD when using password sync or pass-through authentication. Previously only ADFS offered this functionality. Users can now authenticate to Azure AD and their SaaS apps without providing credentials, assuming they meet the technical requirements (namely a domain-joined Windows computer, a supported browser version, etc.). SSO for corporate desktop users is also currently in preview.

Consumer IDM

Azure AD B2C is Microsoft's consumer-facing IDM. It allows users to authenticate to your services or apps using existing credentials they've already established with other cloud services such as Google or Facebook. Azure AD B2C supports both OAuth 2.0 and OpenID Connect, and Microsoft provides a variety of options for integrating the service with your app or service.

Pricing for the B2C offering is separate from the standard Azure AD tiers, and is broken down by the number of stored users per authentication and the number of authentications. Stored users are free up to 50,000 users, and begin at $0.0011 per authentication up to 1 million. The first 50,000 authentications per month are also free, and begin at $0.0028 per authentication up to 1 million. Multifactor authentication is also available for Azure AD B2C, and runs a standard $0.03 per authentication.

User Provisioning

Azure AD offers a similar feature set to most IDaaS vendors when it comes to getting users and groups set up to assign and provision access to SaaS apps. Both users and security groups can be synchronized using Azure AD Connect, or users and groups can be added manually within Azure AD. Unfortunately, there's no way to hide users or groups in Azure AD, so customers in large enterprises will frequently need to avail themselves of the search features in order to navigate to specific users or groups. Azure AD does allow you to create dynamic groups based on attribute-based queries using a feature (currently in preview) called advanced rules.

Azure AD supports automatic provisioning of users in SaaS apps and has the distinct advantage of working exceptionally well with Office 365 deployments. When possible, Azure AD simplifies this process as in the case of Google Apps. With a simple four-step process, Azure AD prompts you for your Google Apps login and requests your permission to configure Google Apps for automatic user provisioning.

Single Sign-On

Microsoft's end user portal is similar to much of the competition, offering a grid of app icons directing users to SSO apps. If admins choose, the Azure AD user portal can be configured to allow self-service actions such as password resets, app requests, or group membership requests and approvals. Office 365 subscribers have the added benefit of being able to add SSO applications to the Office 365 app menu, providing convenient access to critical business apps from within Outlook or other Office 365 offerings.

Azure AD supports security policies tied to individual apps, letting you require multifactor authentication (MFA). Typically, MFA involves a security device or token of some sort (such as a smart card) or even a smartphone app that needs to be present prior to log-in. Azure AD can apply MFA to individual users, to groups, or based on network location. Okta Identity Management handles its security policies in the same way. In general, we'd prefer security policies to be separated out so the same policy could be applied to multiple apps, but at least you have the ability to configure multiple policies.

One unique feature Microsoft offers in Azure AD Premium can help get your company started on identifying SaaS apps already in use by your organization. Cloud App Discovery uses software agents to analyze user behavior in regards to SaaS apps, helping you home in on the apps most commonly used in your organization and begin to manage them at an enterprise level.

The traditional scenario for IDaaS solutions involves authenticating users to cloud apps using credentials originating from an on-premises directory. Azure AD pushes those boundaries by enabling authentication to on-premises apps using Application Proxy, which uses an agent to allow users to securely connect to apps through Azure. Because of the agent-based architecture used by Application Proxy, there is no need for open firewall ports to internal corporate apps. Finally, Azure AD Domain Services can be leveraged to offer a directory contained within Azure, providing a traditional domain environment for authenticating users to virtual machines hosted in Azure. Azure AD Application Proxy can also be configured to use conditional access policies to enforce additional authentication rules (such as MFA) when certain conditions are met.

Azure AD handles more than 1.3 billion authentications every day. This sheer scale allows Microsoft to offer at least one service with which few IDM solutions can currently compete, and that's Azure AD Identity Protection. This feature uses the full breadth of Microsoft's cloud services (Outlook.com, Xbox Live, Office 365, and Azure) as well as machine learning (ML) to provide unparalleled risk analysis for identities stored in Azure AD. Using this data, Microsoft detects patterns and anomalies from which it calculates a risk score for each user and each sign-in. Microsoft also actively monitors security breaches involving credentials, going so far as to evaluate these breaches for credentials within your organization that are potentially compromised. Once this risk score has been calculated, administrators can leverage it in authentication policies, which then lets them tack on additional sign-in requirements such as MFA or a password reset.

Reporting

The report set Microsoft offers with Azure AD depends upon your service level. Even the free and basic tiers offer basic security reports, which are canned reports showing basic activity and usage logs. Premium subscribers gain access to an advanced set of reports which leverage Azure's machine learning capabilities to give insights on anomalous behavior such as successful authentication attempts after repeated failures, those from multiple geographies, or those from suspicious IP addresses.
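The three anomaly patterns named above (a successful sign-in after repeated failures, sign-ins from multiple geographies in a short window, and sign-ins from suspicious IP addresses) are simple enough to show as detection logic, and the risk-score-to-policy step described under Single Sign-On (step up to MFA, or force a password reset) falls out of the same pass. The Python below is an added example written for this review, not Microsoft's Identity Protection logic; the sign-in records, the suspicious-IP list, the time windows, the weights and the action thresholds are all constructed for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed sample sign-in records (not real Azure AD data):
# (UTC timestamp, user, source IP, country, outcome). IPs are documentation ranges.
SAMPLE_SIGNINS = [
    ("2017-06-30T08:00:00", "alice", "203.0.113.10", "US", "failure"),
    ("2017-06-30T08:00:20", "alice", "203.0.113.10", "US", "failure"),
    ("2017-06-30T08:00:41", "alice", "203.0.113.10", "US", "failure"),
    ("2017-06-30T08:01:05", "alice", "203.0.113.10", "US", "success"),  # success after 3 failures
    ("2017-06-30T09:00:00", "bob",   "198.51.100.7", "DE", "success"),
    ("2017-06-30T09:30:00", "bob",   "192.0.2.44",   "BR", "success"),  # second country in 30 min
    ("2017-06-30T10:00:00", "carol", "192.0.2.99",   "US", "success"),  # IP on constructed deny list
    ("2017-06-30T11:00:00", "dave",  "203.0.113.55", "US", "success"),  # nothing unusual
]

SUSPICIOUS_IPS = {"192.0.2.99"}          # constructed stand-in for a threat-intel feed

FAILURE_THRESHOLD = 3                    # failures that make the next success suspicious
FAILURE_WINDOW = timedelta(minutes=10)   # how far back failures count
GEO_WINDOW = timedelta(hours=2)          # two countries inside this window is anomalous

# Constructed weights; the action thresholds below map a score to a step-up requirement.
WEIGHTS = {"failures_then_success": 2, "multiple_geographies": 2, "suspicious_ip": 3}


@dataclass
class Assessment:
    user: str
    timestamp: datetime
    flags: List[str]
    score: int
    action: str


def required_action(score: int) -> str:
    """Policy step: no risk passes, moderate risk adds MFA, high risk forces a reset."""
    if score >= 3:
        return "password_reset"
    if score >= 1:
        return "mfa"
    return "allow"


def assess_signins(records: List[Tuple[str, str, str, str, str]]) -> List[Assessment]:
    """Score each successful sign-in against the three anomaly rules, in time order."""
    recent_failures = defaultdict(list)       # user -> failure timestamps
    recent_successes = defaultdict(list)      # user -> (timestamp, country) of successes
    results = []
    for ts_text, user, ip, country, outcome in sorted(records):  # ISO strings sort by time
        ts = datetime.fromisoformat(ts_text)
        if outcome != "success":
            recent_failures[user].append(ts)
            continue
        flags = []
        # Rule 1: success following repeated failures inside the window.
        failures = [t for t in recent_failures[user] if ts - t <= FAILURE_WINDOW]
        if len(failures) >= FAILURE_THRESHOLD:
            flags.append("failures_then_success")
        recent_failures[user] = []            # a success ends the failure streak
        # Rule 2: a different country than an earlier success inside the window.
        if any(ts - t <= GEO_WINDOW and c != country for t, c in recent_successes[user]):
            flags.append("multiple_geographies")
        recent_successes[user].append((ts, country))
        # Rule 3: source address on the suspicious list.
        if ip in SUSPICIOUS_IPS:
            flags.append("suspicious_ip")
        score = sum(WEIGHTS[f] for f in flags)
        results.append(Assessment(user, ts, flags, score, required_action(score)))
    return results


if __name__ == "__main__":
    for a in assess_signins(SAMPLE_SIGNINS):
        print(f"{a.timestamp:%H:%M:%S} {a.user:6} score={a.score} {a.action:15} {a.flags}")
```

Only successful sign-ins are scored, since the point of the reports is what got through; failures feed the streak counter and nothing else. A real feed would replace the inline list with parsed sign-in log export, and the weights would come from tuning against your own baseline rather than the constructed values here.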

Azure AD doesn't offer a full reporting suite but the canned reports available to Premium customers are much more sophisticated than what competitors offer. In the end, I really liked the level of insight you get with the canned reports in Azure AD Premium, even weighed against the lack of scheduling or custom reports.

Pricing

Azure AD's pricing begins with a free tier that supports up to 500,000 directory objects (in this case, that means users and groups) and up to 10 single sign-on (SSO) apps per user. The Free version of Azure AD is automatically included with Office 365 subscriptions, in which case the object limit does not apply. With a retail price of $1 per user per month, the Basic tier of Azure AD is extremely competitive. The Basic service adds capabilities such as branding for the user portal and group-based SSO access and provisioning, so in order to automatically create user accounts in SaaS apps, you'll need the Basic tier.

The Basic tier retains the 10-app-per-user limit, but adds the ability to support on-premises apps using Application Proxy. The Premium P1 and P2 tiers in Azure AD remove the limit on the number of SSO apps users can have and add self-service and MFA capabilities for $6 and $9 per user per month, respectively. Both Azure AD Premium tiers also include user Client Access Licenses (CALs) for Microsoft Identity Manager (formerly Forefront Identity Manager), which can be used to synchronize and manage identities in databases, apps, other directories, and more. Premium tiers also bring Conditional Access and Intune MDM licenses to the table, upping the security capabilities in a big way. The major benefits of the Premium P2 tier over Premium P1 are Identity Protection and Privileged Identity Management, both of which qualify as industry-leading security features.

Another pricing consideration is the ability to license Azure's MFA service separately from Azure AD, which has two benefits: First, MFA can be added to the Free or Basic Azure AD tiers for $1.40 per user per month or 10 authentications (whichever best fits your use case), bringing the total cost of the Basic service with MFA to $2.40 per user. Second, you can choose to only enable MFA for a subset of your user base, potentially saving a substantial amount of money each month.

Azure AD covers the majority of the core features you should be looking for in an IDaaS provider. It brings to the table some enterprise-level tools you'd expect from a company like Microsoft. Features such as Application Proxy and Identity Protection are among the best in class or, quite simply, have no competition. The pricing is very competitive, and integration with Office 365 and other Microsoft products and services is solid and constantly evolving. Azure AD joins Okta Identity Management as an Editors' Choice in the IDaaS category.